Password authentication

ABSTRACT

A user credential comprising a user password and a one-time password (OTP) may be provided to access a computing system. The user password is authenticated and the network connection status of the computing system is determined. If the computing system is offline, the user password and the OTP are stored in memory and the user is granted a first level of access to the computing system. Upon detecting that the network connection status of the computing system has changed to online, the user password and the OTP are provided to an authentication server for authentication. If the authentication of the user password and the OTP is successful, the user is granted a second level of access to the computing system, the second level of access being higher than the first level of access.

TECHNICAL FIELD

Embodiments of the present invention relate to managing a computingsystem, and more specifically, to authentication and/or access for/to acomputing system.

BACKGROUND

Computing systems such as desktop computers, laptop computers, tablets,netbooks, and servers, are now commonly used by various people andorganizations. For example, students may use laptops when they attendclasses on a school campus and employees may use desktops, laptops,tablets and servers when working at corporate/company locations.Computing systems may often be mobile computing systems, such aslaptops, netbooks, smart phones, and personal digital assistants (PDAs).These mobile computing systems allow users to perform tasks at differentlocations (e.g., at home or at a coffee shop, rather than at a corporateoffice), due to the mobility of the mobile computing systems. Mobilecomputing systems may also provide users with convenient access to acomputing system, when the user is not able to access a desktop computeror server. Many users use mobile computing systems because of theconvenience and portability of the mobile computing systems.

As the prevalence of computing systems grows, authentication of usersand system security on the computing systems continues to be animportant concern. Many computing systems use a user password to allow auser access to the computing system (e.g., log into the computingsystem). If a non-authorized person obtains a user's password, then thenon-authorized person may be able to obtain the privileges and the levelof access the user had to the computing system. After gaining theprivileges/access of the user, a non-authorized person may attempt tochange the settings on the computing system, access network resources,and/or attempt to access sensitive data (e.g., access to the user'sfiles on a local hard drive) on the computing system. For example, thenon-authorized person may change network settings on the computingsystem to redirect network traffic to a different server. In anotherexample, the non-authorized person may attempt to install maliciousprograms such as spyware, malware, viruses, trojans, keyloggers, and/orworms on the user's computing system. In a further example, thenon-authorized person may be able connect to the network resources aftergaining the privileges/access of the user. The non-authorized personmight gain access to the network resources such as shared files,documents, emails, network drives, websites, and/or network services, byimpersonating the user (e.g., by using a user's username and/orpassword).

In order to enhance the security of computing systems, some computingsystems use multi-factor authentication. A multi-factor authenticationmay use three authentication factors: 1) something the user knows (e.g.,the user's password); 2) something the user has (e.g., a security tokenor smart card); and 3) something the user is (e.g., a biometric factorsuch as a fingerprint, retinal scan, etc.). One common form ofmulti-factor authentication is two-factor authentication in which thefirst factor is the user password and the second factor is a one-timepassword (OTP). An OTP is generally a password which is valid for onelogin session or transaction. The OTP may be generated by a securitytoken (e.g., a YubiKey® USB token, a physical token, a software token,etc.). A user may input the OTP manually (e.g., via a keyboard), whenlogging onto a computing system or the security token itself may providethe OTP to the computing system when the security token is coupled tothe device (e.g., a YubiKey® token may provide the OTP to the computingsystem via Universal Serial Bus (USB) interface). The OTP provides anextra layer of security in addition to the user password. Sometwo-factor authentication systems may use a Personal IdentificationNumber (PIN) which the user may provide to the security token, beforethe security token generates an OTP. The term OTP, as used herein, mayrefer to the OTP password or may refer to both the OTP and the PINprovided by the user, which may be included as an optional, staticportion of the OTP.

Two-factor authentication systems generally authenticate the OTP beforethe user is given access to the computing system. The OTP is generallyauthenticated by an authentication server. If the computing system isunable to communicate with the authentication server, the computingsystem is unable to authenticate the OTP and the user may be deniedaccess to the computing system.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by wayof limitation, and can be more fully understood with reference to thefollowing detailed description when considered in connection with thefigures in which:

FIG. 1 is a block diagram of an exemplary system architecture in whichembodiments of the invention may operate.

FIG. 2 is a block diagram illustrating one embodiment of anauthentication tool according to one embodiment.

FIG. 3 is a flow diagram illustrating a method for granting access to acomputing system, in accordance with one embodiment.

FIG. 4 is a flow diagram illustrating a method for granting access to acomputing system, in accordance with another embodiment.

FIG. 5 is a flow diagram illustrating a method for granting access to acomputing system, in accordance with a further embodiment.

FIG. 6 illustrates a diagrammatic representation of a machine in theexemplary form of a computer system, in accordance with one embodiment.

DETAILED DESCRIPTION

A method and system for authentication on a computing system aredescribed. The computing system may be a computing device (e.g., acomputer, a laptop computer, a personal digital assistant (PDA)) or avirtual machine (VM). In one embodiment, a user credential may beprovided by a user to access a computing system, which may be locked.The user may attempt to access the computing system in order to performoperations on the computing system (e.g., install software, accessfiles, change settings, access a memory location, etc.).

An authentication tool may operate on the computing system togrant/allow a user different levels of access to the computing system.The user may provide a credential including a user password and aone-time password (OTP). The authentication tool may grant a uservarying levels of access (e.g., allow different types of operations oraccess to objects in the computing system) based on the validity of theuser password and whether the authentication tool is able toauthenticate the (OTP) and the user password.

In one embodiment, the authentication tool may grant the user a firstlevel of access if the user password is valid but the authenticationtool is unable to authenticate the OTP (e.g., the computing systemcannot communicate with an authentication server). The authenticationtool may also store the OTP and the user password for authentication ata later time. The first level of access may include limited permissionsand/or access to the computing system. For example, the user may beunable to write to files, unable to access certain files, unable toaccess network resources, and/or unable to change configurationsettings, with the first level of access. In another embodiment, theauthentication tool may check whether the computing system is able tocommunicate with the authentication server at a later time (e.g.,periodically check every 60 seconds, 5 minutes, etc.). If the computingsystem is able to communicate with the authentication at the later time,the authentication tool may retrieve the stored OTP and the userpassword and authenticate the stored OTP and the user password with theauthentication server.

In one embodiment, the authentication tool may grant the user a secondlevel of access if the user password is valid and the authenticationtool is able to authenticate the OTP. The second level of access mayinclude more permissions and/or access to the computing system than thefirst level of access. For example, the user may be able to read andwrite to all files, may be able to access network resources, and may beable to change system configuration settings, with the second level ofaccess. In another embodiment, if the OTP is invalid (e.g.,authentication of the OTP fails because the OTP is incorrect) then thecomputing system may perform one or more security measures.

In the following description, numerous details are set forth. It will beapparent, however, to one skilled in the art, that the present inventionmay be practiced without these specific details. In some instances,well-known structures and devices are shown in block diagram form,rather than in detail, in order to avoid obscuring the presentinvention.

FIG. 1 illustrates an exemplary system architecture 100 in whichembodiments of the present invention may operate. The systemarchitecture 100 includes servers 110 coupled to computing systems 101over a network 115. The servers 110 may be a personal computer (PC), aserver computer, a personal digital assistant (PDA), a smart phone, alaptop computer, or any machine capable of executing a set ofinstructions (sequential or otherwise) that specify actions to be takenby that machine. The network 115 may be a private network (e.g., a localarea network (LAN), a wide area network (WAN), intranet, etc.), acorporate network (e.g., a private network for an organization such as acorporation), and/or a public network (e.g., the Internet). The servers110 are also coupled to data storage 120. The data storage 120 includesone or more mass storage devices (e.g., disks), which form a storagepool shared by all of the servers 110 and/or the computing systems 101.The data storage 120 may include files, emails, and/or data (e.g.,sensitive information) which may be accessed by the computing system 101and/or the servers 110.

In one embodiment the servers 110 may be authentication servers. Anauthentication server may authenticate user passwords, OTPs, and/orgrant access to network resources (e.g., other servers) and/or networkservices. An authentication server may also provide an access ticket(e.g., a Kerberos Ticket Granting Ticket (TGT)) to a client (e.g.,computing system 101) after authentication of the user password and/oran OTP. The access ticket (e.g., a TGT) may be used to access networklocations, network resources, and/or network services. In anotherembodiment, the authentication server may be part of a Single Sign-On(SSO) system. In an SSO system, a user is generally authenticated by theauthentication server and the authentication server grants access (e.g.,via a TGT) to multiple devices, network resources, network locations,and/or network services, which use the SSO system for authentication.

An OTP may be an event-based OTP and/or a time-based OTP. A time basedOTP is an OTP which is generated at periodic time intervals. Forexample, a security token may generate a time-based OTP every 60seconds. For a time-based OTP, the security token may be synchronized intime with the authentication server, such that the authentication serveris able to determine which OTP is generated for the current timeinterval. An event-based OTP is an OTP which is generated per logintransaction or event (e.g., per request for an OTP). For example, asecurity token may generate an event-based OTP for every single loginattempt. In another example, a security token may generate an OTP eachtime the user requests an OTP from the security token. A counter may beused to synchronize the OTPs generated by the security token with theauthentication server. For an event-based OTP, the security token may besynchronized by event with the authentication server, such that theauthentication server is able to determine which OTP is generated forthe current event (e.g., login transaction). Certain embodimentsdescribed herein may operate in conjunction with event-based OTPs. Otherembodiments described herein may operate in conjunction with atime-based OTP, where the authentication server is capable of using OTPsgenerated from prior periods of time (e.g., OTPs which were generated inthe past) to authenticate a user. In these embodiments, theauthentication server may store OTPs which were generated at priorperiods of time (e.g., the authentication server may store all OTPsgenerated in the last 2 hours, 24 hours, etc.), or the authenticationserver may re-generate the previously generated OTPs (e.g., regenerateprevious OTPs based on a seed value) so that these prior OTPs may beused to authenticate the user.

The computing systems 101 may include computing devices that have a widerange of processing capabilities such a personal computer (PC), a servercomputer, a personal digital assistant (PDA), a smart phone, a laptopcomputer, a netbook computer, a tablet device, and/or any machinecapable of executing a set of instructions (sequential or otherwise)that specify actions to be taken by that machine. The computing system101 includes an input device 104, a network interface 105, an operatingsystem 102, and an authentication tool 103.

In one embodiment, the input device 104 may include hardware, software,and/or a combination of both. For example, the input device 104 mayinclude, but is not limited to, one or more of a keyboard, a mouse, atouch pad, a touch screen, a card reader (e.g., a smart card reader), aUSB interface (e.g., a USB interface to communicate with a USB tokendevice such as a YubiKey® token), a wireless interface (e.g., aBluetooth interface to communicate with a wireless token device) and/orsoftware and drivers associated with the input device 104. In anotherembodiment, the input device 104 may be used to accept user input (e.g.,accept user credentials). For example, the user may use a keyboard and amouse to enter a user password and/or an OTP. In another example, theuser may use a keyboard and/or mouse to enter a user password and mayuse a USB interface to provide the OTP (e.g., via a YubiKey® token).Although one input device 104 is shown for the computing system 101, inother embodiments, multiple input devices 104 may be present. Forexample, a keyboard, a mouse, a USB interface, and a wireless interfacemay all be in the computing system 101.

In one embodiment, the network interface 105 may be used by thecomputing system 101 to communicate with the network 115, the servers110, and/or the data storage 120. For example, the computing system 101may access data and applications located on the servers 110 and/or datastorage 120 using the network interface 105. In one embodiment, thenetwork interface 105 may be used to communicate with an authenticationserver (e.g., one of the servers 110 may be an authentication server).The network interface 105 may be hardware, software, or a combination ofboth. For example, the network interface 105 may include, but is notlimited to, a network interface card (NIC), a wireless network card,physical cables, and/or software and drivers associated with the networkinterface 105.

In one embodiment, the operating system 102 may manage hardwareresources (e.g., peripheral devices such as a disc drive, input/outputdevices, memory, hard disk etc.), software resources (e.g., drivers,system files, etc.), and may manage execution of applications.

The operating system 102 may include an authentication tool 103. In oneembodiment, the authentication tool 103 may provide users with differentlevels of access to the computing system 101, based on whether a userpassword provided by the user is valid, and whether the authenticationtool 103 is able to authenticate an OTP. For example, if the userpassword is valid but the OTP cannot be authenticated (e.g., because thecomputing system 101 is unable to communicate with an authenticationserver or is offline), the user may be given a first level of accesswhich may include limited permissions and/or access to the computingsystem 101. In another example, if the user password is valid and theOTP can be authenticated (e.g., the computing system 101 is able tocommunicate with an authentication server or is online), then the usermay be given a second level of access to the computing system 101, whichmay include more permissions and/or access to the computing system 101than the first level of access. In one embodiment, the operating system102 may be an operating system with mandatory access control mechanisms(e.g., a Security Enhanced Linux (SELinux) operating system). Thesemandatory access control mechanisms may be used to control the levels ofaccess and/or permissions a user (or an application) may have to files,settings, data, parameters, hardware, and/or network resources of thecomputing system 101.

In one embodiment, the authentication tool 103 may monitor a networkconnection status of the computing system 101 by determining whether thecomputing system 101 is online or offline. For example, theauthentication tool 103 may periodically attempt to communicate with theauthentication server (e.g., attempt to communicate once every 30seconds, 1 minute, 1 hour, etc.). If the authentication tool 103 cancommunicate with the authentication server, then the network connectionstatus of the computing system 101 is determined to be online. If theauthentication tool 103 cannot communicate with the authenticationserver, then the network connection status of the computing system 101is determined to be offline.

Although the authentication tool 103 is shown as part of the operatingsystem 102 in FIG. 1, in another embodiment, the authentication tool 103may be separate from the operating system 102. For example, theauthentication tool 103 may be an application/process executing inconjunction with the operating system 102. In another example, theauthentication tool 103 may include a hardware component, a softwarecomponent, or a combination of both, on the computing system 101.

In one embodiment, a computing system 101 may become disconnected fromthe network 115 (e.g., unable to communicate with the network 115). Forexample, a computing system 101 (e.g., a laptop computer) may beconnected to the network 115 (e.g., a corporate network or a securenetwork) during working hours. When the employee leaves the location andtakes the computing system 101 with him, the computing system 101 may nolonger be connected to the network 115. Because the computing system 101is no longer connected to the network 115, the computing system 101 maynot be able to communicate with the authentication server (e.g., server110) and the authentication tool 103 may not be able to authenticate theOTP. If the authentication tool 103 is able to authenticate the userpassword but not the OTP (e.g., because the network connection status ofthe computing system is offline), the authentication tool 103 will grantthe user a first level of access to the computing system 101 (e.g.,limited permissions and/or access) and store the OTP and user passwordfor authentication at a later time. After granting the first level ofaccess to the computing system 101, if the authentication tool 103 isable to later authenticate the stored OTP and user password (e.g., thenetwork connection status of the computing system 101 has changed toonline), then the authentication tool 103 may grant a second level ofaccess to the computing system 101 (e.g., grant more permissions and/oraccess).

In one embodiment, the authentication tool 103 may communicate withother components of the operating system 102 which may also be used toauthenticate a user (e.g., authenticate credentials provided by theuser). For example, the operating system, 102 may include a pluggableauthentication module (PAM) which may accept credentials provided by auser. In another example, the operating system 102 may include a modulefor authenticating and/or managing access to a remote resource (e.g., asystem security services daemon (SSSD) to authenticate an OTP with theauthentication server). The authentication tool 103 may communicate withthese components (e.g., the PAM and/or the SSSD) when authenticating auser.

In one embodiment, if the authentication tool 103 is unable tocommunicate with the authentication server (e.g., server 110), theauthentication tool 103 may store the OTP in a memory. For example, theauthentication tool 103 may store the last 44 characters of a usercredential (e.g., a user password and a YubiKey® OTP) provided by theuser because the last 44 characters of the user credential correspond tothe YubiKey® OTP. When the authentication tool 103 communicates with theauthentication server at a later time, the OTP may be retrieved from thememory and may be provided to the authentication server forauthentication. In another embodiment, after a user has beenauthenticated, the authentication tool 103 may optionally store the userpassword (e.g., may cache the user password). The cached password may behashed or otherwise encrypted. The cached and/or encrypted password maybe used to authenticate a user during subsequent user logins.

FIG. 2 is a block diagram illustrating one embodiment of anauthentication tool 200. The authentication tool 200 may include acredential receiver 204, a credential verification tool 212, a networkstatus manager 220, and a data store 216. More or less components may beincluded in the authentication tool 200 without loss of generality.

The credential receiver 204 may receive one or more credentials from auser and/or an input device. The credential receiver 204 may operate inconjunction with the input device 104 to receive the user credentials.For example, the user may provide a user password using a keyboard andthe credential receiver 204 may receive the username and password fromthe keyboard. In one embodiment, the user may also provide an OTP viathe input device 104, in addition to the user password. For example, theuser may use the keyboard to type in both a user password and an OTP.The OTP may be generated from a token device (e.g., a security tokensuch as Aladdin eToken®, OpenOTP®, etc.) and the user may enter the OTPusing the keyboard. In another example, the user may enter the userpassword using the keyboard and provide the OTP using another inputdevice (e.g., via a USB token, such as YubiKey®).

The network status manager 220 may monitor the connection status of thecomputing system 101. The network status manager 220 may use the networkinterface 105 when determining the network connection status of thecomputing system 101. For example, the network status manager 220 maydetermine whether the computing system 101 is connected to the network115 via the network interface 105. In one embodiment, the network statusmanager 220 may determine that the computing system 101 has an “online”network connection status if the computing system 101 can communicatewith the authentication server (e.g., server 110) and has an “offline”network connection status if the computing system 101 cannot communicatewith the authentication server.

The data store 216 may store data related to one or more usercredentials. For example, the data store 216 may store an OTP receivedby the computing system (e.g., received from a keyboard or from asecurity token). In another example, the data store may store multiplecached user passwords (e.g., one password per user of the computingsystem) or the user password provided by the user. In one embodiment,the cached password may be stored in the data store 216 from a previoususer login to the computing system. For example, the authentication tool200 may store the user password of the user from a previous successfullogin to the computing system 101. In another embodiment, the cachedpassword may be provided to the authentication tool 200 by an externalentity. For example, one or more user passwords may be stored in thedata store 216 by a system administrator who may setup the computingdevice. In another example, one or more user passwords may be receivedfrom a server 110 and may be stored in the data store 216. Although thedata store 216 is shown as part of the authentication tool 200, in otherembodiments, the data store 216 may reside in a different location. Forexample, the data store 216 may be stored in a memory and/or a harddrive in the computing system 101.

The credential verification tool 212 may authenticate the user passwordand/or the OTP received by the authentication tool 200. The credentialverification tool 212 may authenticate the user password provided by theuser against a cached user password stored in the data store 216. Thecached user password may be encrypted (e.g., hashed or encrypted forsecurity purposes) and the credential verification tool 212 may processthe user password (e.g., hash the user password) prior to authenticatingthe user password.

The credential verification tool 212 may also authenticate an OTP. Inone embodiment, the credential verification tool 212 may provide the OTPand the user password to the authentication server (e.g., server 110)for authentication. If the credential verification tool 212 is unable toauthenticate the OTP and the user password (e.g., because the computingsystem 101 cannot communicate with the authentication server), thecredential verification tool 212 may grant the user a first level ofaccess which may include more restricted access and/or permissions tothe computing system 101. For example, the user may be given only readpermissions to files and/or settings in the computing system 101. If thecredential verification tool 212 is able to authenticate the OTP and theuser password (e.g., because the computing system 101 can communicatewith the authentication server), the credential verification tool 212may grant the user a second level of access which may include greateraccess and/or permissions to the computing system 101, than the firstlevel of access. For example, the user may be given read and writepermissions to files and/or settings in the computing system 101.

FIG. 3 is a flow diagram illustrating a method 300 for granting accessto a computing system, in accordance with one embodiment. The method 300may be performed by processing logic that may include hardware (e.g.,circuitry, dedicated logic, programmable logic, microcode, etc.),software (e.g., instructions run on a processing device to performhardware simulation), or a combination thereof. In one embodiment, themethod 300 is performed by a computing system (e.g., the computingsystem 101 of FIG. 1).

Referring to FIG. 3, the method 300 starts with the computing systemreceiving one or more user credentials to access the computing system(block 304). The computing system may be locked (e.g., access to thecomputing system may be restricted) and the user may provide one or moreuser credentials to gain access to (e.g., login to) the locked computingsystem. In one embodiment, the one or more user credentials may includea user password and an OTP. The OTP may be received from a securitytoken (e.g., an OTP generation device such as a YubiKey® USB token)which may be coupled to the computing system. In another embodiment, thesecurity token may not be coupled to the computing system but thesecurity token may provide the OTP to the user (e.g., may display theOTP on a screen in the security token) and the user may provide the OTPto the computing system (e.g., via an input device such as a keyboard).The computing system checks whether the user password is valid (e.g.,authenticates the user password) at block 312. As discussed above, thecomputing system may authenticate the user password using a cachedpassword (e.g., a user password cached from a previous login). If theuser password is not valid, the method 300 ends.

If the user password is valid, the method 300 proceeds to block 316where the computing system determines whether the computing system isonline. As discussed above, the computing system may determine that thecomputing system is online if it is able to communicate with anauthentication server (e.g., server 110). If the computing system is notonline (e.g., offline), the computing system stores the OTP and the userpassword in memory (block 320) and grants the user a first level ofaccess to the computing system (block 324). As discussed above, thefirst level of access may include limited permissions and/or access tothe computing system (e.g., read only access to files and systemsettings).

If the computing system is online, the computing system provides the OTPto the authentication server and the authentication server determineswhether the OTP is valid (block 328). If the OTP is not valid, themethod 300 ends and the user is denied access to the computing system.If the OTP is valid, then the computing system grants the user a secondlevel of access to the computing system at block 332. Also as discussedabove, the second level of access includes more permissions and/oraccess to the computing system than the first level of access granted atblock 324 (e.g., read and write access to files and system settings).

In one embodiment (not shown in the figures), the authentication servermay also provide the user with an access ticket at block 332. The accessticket may grant the user permissions and/or access to network locations(e.g., websites and/or particular servers), network services (e.g.,processes or applications operating within the network), and/or thecomputing system. For example, the authentication server may provide theuser with a Ticket Granting Ticket (TGT). The TGT may allow a user toaccess a particular server and may grant the user access to thecomputing system (e.g., read and write access to files and systemsettings). In another embodiment, the access ticket may be used in aSingle Sign-On (SSO) system. In an SSO system, the SSO system mayauthenticate a credential (e.g., an OTP and/or a user password) andprovide the user with the access ticket (e.g., the TGT). The accessticket may grant the user access to all services, devices, and locationswhich use the SSO system to authenticate users.

FIG. 4 is a flow diagram illustrating a method 400 for granting accessto a computing system, in accordance with another embodiment. The method400 may be performed by processing logic that may include hardware(e.g., circuitry, dedicated logic, programmable logic, microcode, etc.),software (e.g., instructions run on a processing device to performhardware simulation), or a combination thereof. In one embodiment, themethod 400 is performed by a computing system (e.g., the computingsystem 101 of FIG. 1). In another embodiment, the method of 400 may beperformed after the method 300 of FIG. 3 has been performed by thecomputing system. For example, the method 400 may be performed afterblock 324 of the method 300 shown in FIG. 3.

Referring to FIG. 4, the method 400 starts at block 404, where the useris granted a first level of access to the computing system. At block408, the computing system determines whether or not the computing systemis online (e.g., whether the computing system can communicate with anauthentication server). If the computing system is not online, themethod loops back to block 408. In one embodiment, the computing systemmay periodically determine whether or not the computing system is online(e.g., check once every 60 seconds, or every 5 minutes, etc.). If thecomputing system is online (e.g., the computing system can communicatewith an authentication server), the computing system retrieves an OTPand the user password from memory (block 412). The OTP and the userpassword may have been previously provided to the computing system andpreviously stored in the memory by the computing system. For example,referring to FIG. 3, the OTP and the user password may have beenpreviously obtained at block 308 and may have been previously stored inthe memory at block 320.

At block 416, the computing system provides the OTP and the userpassword to the authentication server for authentication. If the OTP andthe user password are valid (block 420), the computing system grants theuser the second level of access to the computing system (block 424). Asdiscussed above, the second level of access may include more accessand/or permissions to the computing system than the first level ofaccess. In one embodiment, as discussed above, the authentication servermay also grant the user an access ticket at block 424. The access ticketmay grant the user access to network locations, network services,network resources, and/or the computing system. If the OTP and/or theuser password are not valid, the computing system may perform one ormore security measures (block 428). Security measures may include one ormore of: forcibly logging a user out of the computing system, promptingthe user for a second OTP, reducing the user's access permissions (e.g.,reducing the user's Security Enhanced Linux (SELinux) permissions orreducing a user's level of access using a mandatory access controlmechanism), preventing execution or startup of different applications,preventing the computing system from establishing certain connections(e.g., prevent connections to remote servers), etc.

FIG. 5 is a flow diagram illustrating a method for granting access to acomputing system, in accordance with a further embodiment. The method500 may be performed by processing logic that may include hardware(e.g., circuitry, dedicated logic, programmable logic, microcode, etc.),software (e.g., instructions run on a processing device to performhardware simulation), or a combination thereof. In one embodiment, themethod 500 is performed by a computing system (e.g., the computingsystem 101 of FIG. 1). In another embodiment, the method of 500 may beperformed after the method 400 of FIG. 4 has been performed by thecomputing system. For example, the method 500 may be a security measureperformed after block 428 of the method 400 shown in FIG. 4.

Referring to FIG. 5, the method 500 begins at block 504, wherein thecomputing system requests a second OTP. At block 508, the computingsystem receives the second OTP. In one embodiment, the second OTP may beprovided by a user via an input device (e.g., typed in by a user via akeyboard). In another embodiment, the second OTP may be provided by atoken device such as a YubiKey® USB token, via a USB interface of thecomputing system. The second OTP and the user password are provided toan authentication server for authentication, to determine if the secondOTP is valid. If the second OTP and the user password are valid, thecomputing system grants the user the second level of access to thecomputing system at block 516. As discussed above, the second level ofaccess may include more access and/or permissions to the computingsystem than the first level of access. In one embodiment, as discussedabove, the authentication server may also grant the user an accessticket at block 516. The access ticket may grant the user access tonetwork locations, network services, network resources, and/or thecomputing system. If the second OTP and/or the user password are notvalid, one or more security measures are performed (block 520). Forexample, if the user password is not valid, the user may be forciblylogged out of the computing system and may be denied all access to thecomputing system. In another example, if the user password is valid, butthe second OTP is not valid, another OTP may be requested (e.g., becausethe user entered the second OTP incorrectly, or because the second OTPmay be out of sync with the OTPs generated/stored by the authenticationserver).

FIG. 6 illustrates a diagrammatic representation of a machine in theexemplary form of a computer system 600 within which a set ofinstructions, for causing the machine to perform any one or more of themethodologies discussed herein, may be executed. In alternativeembodiments, the machine may be connected (e.g., networked) to othermachines in a Local Area Network (LAN), an intranet, an extranet, or theInternet. The machine may operate in the capacity of a server or aclient machine in a client-server network environment, or as a peermachine in a peer-to-peer (or distributed) network environment. Themachine may be a personal computer (PC), a tablet PC, a set-top box(STB), a Personal Digital Assistant (PDA), a cellular telephone, a webappliance, a server, a network router, switch or bridge, or any machinecapable of executing a set of instructions (sequential or otherwise)that specify actions to be taken by that machine. Further, while only asingle machine is illustrated, the term “machine” shall also be taken toinclude any collection of machines (e.g., computers) that individuallyor jointly execute a set (or multiple sets) of instructions to performany one or more of the methodologies discussed herein.

The exemplary computer system 600 includes a processor 602, a mainmemory 604 (e.g., read-only memory (ROM), flash memory, dynamic randomaccess memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a staticmemory 606 (e.g., flash memory, static random access memory (SRAM),etc.), and a secondary memory 616 (e.g., a data storage device), whichcommunicate with each other via a bus 630.

The processor 602 represents one or more general-purpose processingdevices such as a microprocessor, central processing unit, or the like.More particularly, the processor 602 may be a complex instruction setcomputing (CISC) microprocessor, reduced instruction set computing(RISC) microprocessor, very long instruction word (VLIW) microprocessor,processor implementing other instruction sets, or processorsimplementing a combination of instruction sets. The processor 602 mayalso be one or more special-purpose processing devices such as anapplication specific integrated circuit (ASIC), a field programmablegate array (FPGA), a digital signal processor (DSP), network processor,or the like. The processor 602 is configured to execute authenticationtool 200 for performing the operations and steps discussed herein.

The computer system 600 may further include a network interface device622. The network interface device may be in communication with a network621. The computer system 600 also may include a video display unit 610(e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), analphanumeric input device 612 (e.g., a keyboard), a cursor controldevice 614 (e.g., a mouse), and a signal generation device 620 (e.g., aspeaker).

The secondary memory 616 may include a computer-readable storage medium(or more specifically a computer-readable storage medium) 624 on whichis stored one or more sets of instructions for authentication tool 200embodying any one or more of the methodologies or functions describedherein. The instructions of the authentication tool 200 may also reside,completely or at least partially, within the main memory 604 and/orwithin the processor 602 during execution thereof by the computer system600, the main memory 604 and the processor 602 also constitutingcomputer-readable storage media. The instructions of the authenticationtool 200 may further be transmitted or received over a network via thenetwork interface device 622.

While the computer-readable storage medium 624 is shown in an exemplaryembodiment to be a single medium, the term “computer-readable storagemedium” should be taken to include a single medium or multiple media(e.g., a centralized or distributed database, and/or associated cachesand servers) that store the one or more sets of instructions. The term“computer-readable storage medium” shall also be taken to include anymedium that is capable of storing or encoding a set of instructions forexecution by the machine that cause the machine to perform any one ormore of the methodologies of the present invention. The term“computer-readable storage medium” shall accordingly be taken toinclude, but not be limited to, solid-state memories, and optical andmagnetic media.

Some portions of the detailed descriptions above are presented in termsof algorithms and symbolic representations of operations on data bitswithin a computer memory. These algorithmic descriptions andrepresentations are the means used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of steps leading to a desiredresult. The steps are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise, as apparent from the followingdiscussion, it is appreciated that throughout the description,discussions utilizing terms such as “receiving,” “authenticating,”“storing,” “detecting,” “retrieving,” “granting,” “performing,”“locking,” or the like, refer to the action and processes of a computersystem, or similar electronic computing device, that manipulates andtransforms data represented as physical (electronic) quantities withinthe computer system's registers and memories into other data similarlyrepresented as physical quantities within the computer system memoriesor registers or other such information storage, transmission or displaydevices.

Embodiments of the present invention also relate to an apparatus forperforming the operations herein. This apparatus may be speciallyconstructed for the required purposes, or it may be a general purposecomputer system selectively programmed by a computer program stored inthe computer system. Such a computer program may be stored in a computerreadable storage medium, such as, but not limited to, any type of diskincluding optical disks, CD-ROMs, and magnetic-optical disks, read-onlymemories (ROMs), random access memories (RAMs), EPROMs, EEPROMs,magnetic disk storage media, optical storage media, flash memorydevices, other type of machine-accessible storage media, or any type ofmedia suitable for storing electronic instructions, each coupled to acomputer system bus.

The algorithms and displays presented herein are not inherently relatedto any particular computer or other apparatus. Various general purposesystems may be used with programs in accordance with the teachingsherein, or it may prove convenient to construct a more specializedapparatus to perform the required method steps. The required structurefor a variety of these systems will appear as set forth in thedescription below. In addition, the present invention is not describedwith reference to any particular programming language. It will beappreciated that a variety of programming languages may be used toimplement the teachings of the invention as described herein.

It is to be understood that the above description is intended to beillustrative, and not restrictive. Many other embodiments will beapparent to those of skill in the art upon reading and understanding theabove description. Although the present invention has been describedwith reference to specific exemplary embodiments, it will be recognizedthat the invention is not limited to the embodiments described, but canbe practiced with modification and alteration within the spirit andscope of the appended claims. Accordingly, the specification anddrawings are to be regarded in an illustrative sense rather than arestrictive sense. The scope of the invention should, therefore, bedetermined with reference to the appended claims, along with the fullscope of equivalents to which such claims are entitled.

What is claimed is:
 1. A method, comprising: receiving a credential toaccess a computer system, the credential comprising a user password anda one-time password (OTP); authenticating, by a processor, the userpassword using a cached password; when the computer system is unable toaccess an authentication server and unable to authenticate the OTP usingthe authentication server, storing the OTP and the user password in amemory of the computer system and granting, by the processor, a user afirst level of access to the computer system, wherein the first level ofaccess is granted in view of the authentication, by the processor, ofthe user password using the cached password and without authenticatingthe OTP; checking whether the computer system is able to access theauthentication server; and when the computer system is able to accessthe authentication server, authenticating the stored OTP using theauthentication server and granting, by the processor, the user a secondlevel of access to the computer system, the second level of access beingdifferent than the first level of access, and wherein the second levelof access grants the user an access ticket to access one or more ofnetwork resources.
 2. The method of claim 1, further comprising: afterauthenticating the stored OTP and the stored user password, granting theuser the access ticket to access the one or more of network resourcesand network services.
 3. The method of claim 1 further comprising: afterfailing to authenticate the stored OTP or the stored user password,performing one or more security measures.
 4. The method of claim 3,wherein performing the one or more security measures comprises lockingthe computer system when the stored user password is invalid.
 5. Themethod of claim 3, wherein performing the one or more security measurescomprises: requesting a second OTP when the stored OTP is invalid;receiving the second OTP; authenticating the second OTP and the storeduser password using the authentication server; and after authenticatingthe second OTP and the stored user password, granting the user thesecond level of access to the computer system.
 6. The method of claim 5,further comprising: after failing to authenticate the second OTP or thestored user password, locking the computer system.
 7. The method ofclaim 1, wherein the OTP comprises an event-based OTP.
 8. An apparatuscomprising: a memory to store a plurality of one-time passwords; and aprocessor, operatively coupled to the memory, to: receive a credentialto access a computer system, the credential comprising a user passwordand a one-time password (OTP); authenticate the user password using acached password; when the computer system is unable to access anauthentication server and unable to authenticate the OTP using theauthentication server, store the OTP and the user password in a memoryof the computer system and grant a user a first level of access to thecomputer system, wherein the first level of access is granted in view ofthe authentication, by the processor, of the user password using thecached password and without authenticating the OTP; check whether thecomputer system is able to access the authentication server; and whenthe computer system is able to access the authentication server,authenticating the stored OTP using the authentication server andgranting the user a second level of access to the computer system, thesecond level of access being different than the first level of access,and wherein the second level of access grants the user an access ticketto access one or more of network resources.
 9. The apparatus of claim 8,wherein the processor is further to: after authenticating the stored OTPand the stored user password, grant the user the access ticket to accessthe one or more of network resources and network services.
 10. Theapparatus of claim 8, wherein the processor is further to: after failingto authenticate the stored OTP or the stored user password, perform oneor more security measures.
 11. The apparatus of claim 10, wherein toperform the one or more security measures, the processor is to lock thecomputer system when the stored user password is invalid.
 12. Theapparatus of claim 10, wherein to perform the one or more securitymeasures, the processor to: request a second OTP when the stored OTP isinvalid; receive the second OTP; authenticate the second OTP and thestored user password using the authentication server; and afterauthenticating the second OTP and the stored user password, grant theuser the second level of access to the computer system.
 13. Theapparatus of claim 12, wherein the processor is further to: afterfailing to authenticate the second OTP or the stored user password, lockthe computer system.
 14. The apparatus of claim 8, wherein the OTPcomprises an event-based OTP.
 15. A non-transitory machine-readablestorage medium including data that, when accessed by a processor, causethe processor to: receive, by the processor, a credential to access acomputer system, the credential comprising a user password and aone-time password (OTP); authenticate the user password using a cachedpassword; when the computer system is unable to access an authenticationserver and unable to authenticate the OTP using the authenticationserver, store the OTP and the user password in a memory of the computersystem and granting, by the processor, a user a first level of access tothe computer system, wherein the first level of access is granted inview of the authentication, by the processor, of the user password usingthe cached password and without authenticating the OTP; check whetherthe computer system is able to access the authentication server: andwhen the computer system is able to access the authentication server,authenticate the stored OTP and the user password using theauthentication server and granting, by the processor, the user a secondlevel of access to the computer system, the second level of access beingdifferent than the first level of access, and wherein the second levelof access grants the user an access ticket to access one or more ofnetwork resources.
 16. The non-transitory machine-readable storagemedium of claim 15, wherein the processor is further to: afterauthenticating the stored OTP and the stored user password, grant theuser the access ticket to access the one or more of network resourcesand network services.
 17. The non-transitory machine-readable storagemedium of claim 15, wherein the processor further to: after failing toauthenticate the stored OTP or the stored user password, perform one ormore security measures.
 18. The non-transitory machine-readable storagemedium of claim 17, wherein to perform the one or more security measuresthe processor to lock the computer system when the stored user passwordis invalid.
 19. The non-transitory machine-readable storage medium ofclaim 17, wherein to perform the one or more security measures theprocessor to: request a second OTP when the stored OTP is invalid;receive the second OTP; authenticate the second OTP and the stored userpassword using the authentication server; and after authenticating thesecond OTP and the stored user password, grant the user the second levelof access to the computer system.
 20. The non-transitorymachine-readable storage medium of claim 19, wherein the processorfurther to: after failing to authenticate the second OTP or the storeduser password, lock the computer system.